Home / Companies / Detectify / Blog / January 2018

January 2018 Summaries

2 posts from Detectify

Filter
Month: Year:
Post Summaries Back to Blog
Detectify is a leading platform in External Attack Surface Management (EASM), known for its high accuracy of 99.7% in vulnerability assessments, making it a trusted resource for ProdSec and AppSec teams to understand potential exploitation methods of Internet-facing applications. The platform utilizes a unique approach by automating ongoing, real-world, payload-based attacks that are crowdsourced from a global network of elite ethical hackers, effectively identifying critical vulnerabilities in advance. Interested users can explore the platform's capabilities through a two-week free trial.
Jan 23, 2018 62 words in the original blog post.
On January 9, Frans Rosén from Detectify identified a vulnerability in the TLS-SNI-01 domain validation method used by Let’s Encrypt, which could potentially allow attackers to issue SSL/TLS certificates for domains they do not own, thus jeopardizing secure web browsing. This flaw could be exploited particularly when cloud providers host multiple users on the same IP address without proper domain ownership validation, allowing attackers to intercept traffic on seemingly secure websites. In response, Let’s Encrypt promptly disabled TLS-SNI-01 validation, urging users to adopt HTTP-01 or DNS-01 validation methods instead, and announced plans to completely phase out TLS-SNI-01 and TLS-SNI-02. Major providers like AWS CloudFront and Heroku acted swiftly to mitigate the vulnerability by preventing the addition of domains ending with .invalid. Let’s Encrypt plans to collaborate with the IETF ACME working group to ensure future specifications address this security concern.
Jan 12, 2018 583 words in the original blog post.